GitHub user ivmaykov opened a pull request: https://github.com/apache/zookeeper/pull/710

ZOOKEEPER-3195: TLS - disable client-initiated renegotiation

Summary: client-initiated renegotiation is insecure and is vulnerable to MITM attacks. Unfortunately, the feature is enabled in Java by default. This disables it. See https://bugs.openjdk.java.net/browse/JDK-7188658 and https://www.oracle.com/technetwork/java/javase/documentation/tlsreadme-141115.html

Test Plan: manually tested by running a secure ZK server and probing the listening port with Python's sslyze tool (using `sslyze --reneg ...`). Tested on Java 8, 9, 10, and 11.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ivmaykov/zookeeper ZOOKEEPER-3195

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zookeeper/pull/710.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #710

----
commit 027d7d24912dc7a00d798a77196f83be06229755
Author: Ilya Maykov <ilyam@...>
Date:   2018-11-20T23:30:23Z

    ZOOKEEPER-3195: TLS - disable client-initiated renegotiation

    Summary: client-initiated renegotiation is insecure and is vulnerable to MITM attacks. Unfortunately, the feature is enabled in Java by default. This disables it. See https://bugs.openjdk.java.net/browse/JDK-7188658 and https://www.oracle.com/technetwork/java/javase/documentation/tlsreadme-141115.html

    Test Plan: manually tested by running a secure ZK server and probing the listening port with Python's sslyze tool (using `sslyze --reneg ...`). Tested on Java 8, 9, 10, and 11.
----
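The mechanism the Oracle JSSE notes and JDK-7188658 describe for turning off client-initiated renegotiation on the server side is the `jdk.tls.rejectClientInitiatedRenegotiation` system property. The following is an added example of applying it from application code, not code from the pull request or from ZooKeeper itself; the class and method names are hypothetical. The one thing it is careful about is ordering: SunJSSE reads the property once when it initialises, so setting it after the first `SSLContext` has been created has no effect.

```java
import javax.net.ssl.SSLContext;

/**
 * Hypothetical helper (not ZooKeeper code) that rejects client-initiated TLS
 * renegotiation for this JVM. Must be called before any SSLContext is created,
 * because SunJSSE caches the property value at initialisation time.
 */
public final class TlsRenegotiationHardening {

    // Documented JSSE system property; default in the JDK is "false" (renegotiation accepted).
    static final String REJECT_RENEG_PROP = "jdk.tls.rejectClientInitiatedRenegotiation";

    private TlsRenegotiationHardening() {}

    /**
     * Sets the property to "true" unless the operator already set it explicitly
     * (e.g. with -Djdk.tls.rejectClientInitiatedRenegotiation=false on the command
     * line), so a deliberate override is respected.
     *
     * @return the effective value: true if client-initiated renegotiation will be rejected
     */
    public static boolean hardenRenegotiation() {
        String current = System.getProperty(REJECT_RENEG_PROP);
        if (current == null) {
            System.setProperty(REJECT_RENEG_PROP, "true");
            return true;
        }
        return Boolean.parseBoolean(current);
    }

    public static void main(String[] args) throws Exception {
        // 1. Apply the hardening first...
        boolean rejecting = hardenRenegotiation();
        System.out.println(REJECT_RENEG_PROP + "=" + System.getProperty(REJECT_RENEG_PROP)
                + " (effective: " + rejecting + ")");

        // 2. ...and only then touch JSSE. Obtaining the default context loads SunJSSE,
        //    which is the point after which changing the property no longer matters.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("JSSE initialised (" + ctx.getProtocol() + "); client-initiated "
                + "renegotiation will be " + (rejecting ? "rejected" : "accepted"));
    }
}
```

The equivalent without code changes is to start the JVM with `-Djdk.tls.rejectClientInitiatedRenegotiation=true`, which is also the safest option when you cannot guarantee that your code runs before some library creates an `SSLContext`. Either way, verify the result the same way the test plan above does: probe the listening port with `sslyze --reneg` and confirm that client-initiated renegotiation is reported as rejected.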